The World Wide Web of the Internet is the most successful distributed application in the history of computing. In the Web environment, client machines effect transactions to Web servers use the Hypertext Transfer Protocol (HTTP), which is a known application protocol providing users access to files (e.g., text, graphics, images, sound, video, etc.) using a standard page description language known as Hypertext Markup Language (HTML). HTML provides basic document formatting and allows the developer to specify "links" to other servers and files. In the Internet paradigm, a network path to a server is identified by a so-called Uniform Resource Locator (URL) having a special syntax for defining a network connection. Use of an HTML-compatible browser (e.g., Netscape Navigator) at a client machine involves specification of a link via the URL. In response, the client makes a request to the server identified in the link and receives in return a document formatted according to HTML.
Many organizations use multiple computers interconnected into a distributed computing environment in which users access distributed resources and process applications. A known distributed computing environment, called DCE, has been implemented using software available from the Open Systems Foundation (OSF). As DCE environments become the enterprise solution of choice, many applications may be utilized to provide distributed services such as data sharing, printing services and database access. OSF DCE includes a distributed file system, called Distributed File Services (DFS), for use in these environments.
DFS provides many advantages over a standalone file server, such as higher availability of data and resources, the ability to share information throughout a very large-scale system, and protection of information by the robust DCE security mechanism. In particular, DFS makes files highly available through replication, making it possible to access a copy of a file if one of the machines where the file is located goes down. DFS also brings together all of the files stored in various file systems in a global namespace. Multiple servers can export their file system to this namespace. All DFS users, in the meantime, share this namespace, making all DFS files readily available from any DFS client machine.
It would be highly desirable to extend the functionality of existing standalone Web servers in the enterprise environment to take advantage of the scalability, file availability and security features of DFS (or other similar distributed file systems). As a by-product, users with an off-the-shelf browser would be able to easily access the Web information stored in the DFS namespace with no additional software on the client machine. Before this goal can be achieved, however, it is necessary to integratethe security mechanism provided by the Web Server with conventional DFS security. One of the alternatives is to use the Basic Authentication scheme (provided by the Web server) to obtain the userid and password for each HTTP request. However, using the known basic authentication scheme in the context of DFS has several problesm.
In particular, user ids and passwords are passed on every request. Thus, they are more likely to be attacked by intruders even if passwords are protected by some encryption mechanism (for example, SSL). Secondly, it is difficult for the DFS and Web server security mechanisms to coexist. The browsers will memorize the userid and password sent to a specific server and the id and password will be attached to every HTTP request sent to that server. If a mechanism is provided for having the Web server access the distributed file system, the Web server will maintain both the documents stored on the server local directory (protected by Web server security) and DFS (protected by DFS security). From the browser's perspective, the Web server is a single server and will only remember one pair of userid and password for the Web server. If a user is browsing both DFS documents and Web server documents, he or she will be prompted for userid and password every time there is a switch from DFS document to Web server document, and vice versa. Finally, only limited error information can be returned to the user when DFS authentication fails.
These problems make the known basic authentication scheme ill-suited for integrating Web server and DFS security mechanisms.
The present invention solves this problem.